Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 24 Jul 2013 01:31:02 +0200
From:      Mateusz Guzik <mjguzik@gmail.com>
To:        Yuri <yuri@rawbw.com>
Cc:        FreeBSD Hackers <hackers@freebsd.org>
Subject:   Re: Should process run under chroot(8) still see mounts on the original system?
Message-ID:  <20130723233102.GA19249@dft-labs.eu>
In-Reply-To: <51EF0EEE.8030000@rawbw.com>
References:  <51EF0EEE.8030000@rawbw.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Jul 23, 2013 at 04:17:02PM -0700, Yuri wrote:
> Currently, mount directories as shown by mount(8) command and
> /compat/linux/dev/mounts from linprocfs(5) still show the original
> mount points as other non-chrooted processes see.
> So, when some program run under chroot tries to read the mount
> points and do something with them it would likely fail because those
> paths aren't what the process actually sees in its file system.
> 
> There are two situations: one when the process was started already
> chrooted (like with command chroot(8)), and another one is when
> process calls chroot(2) itself. Currently system seems to not
> differentiate between these two cases.
> 
> It looks reasonable to automatically modify mount(8) and
> linprocfs(5) results when the process has been started already
> chrooted and this process is (practically) always unaware of chroot.
> So that when chroot was in place when execve(2), kernel could set
> the boolean flag and later adjust mount directories accordingly.
> 

While changing the code to do what you propose would not be that
difficult, I don't see the point. In cases like this you can simply
jail(2) and there you go (or at least this should work just fine).

Of course then you may have some unnecessary separation but that I
believe can be simply worked out if it turns out to be problematic.

-- 
Mateusz Guzik <mjguzik gmail.com>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130723233102.GA19249>